CAESAR is a compiler that translates the behavioural part of a LOTOS
specification into either a C program (to be executed or simulated)
or into an LTS (to be verified using bisimulation tools and/or temporal
logic evaluators).

For instance, one can check the LTS of a protocol against the
LTS of the service implemented by the protocol. Both LTSs are
generated using CAESAR and compared using BISIMULATOR. It is
also possible to specify protocol properties using temporal
logic formulas that can be evaluated on the protocol LTS.

CAESAR translation algorithms proceed in several steps.
First the LOTOS description is translated into a simplified
process algebra called SUBLOTOS. Then an intermediate Petri
Net model is generated, which provides a compact, structured
and user-readable representation of both the control and
data flow. Eventually the LTS is produced by performing
reachability analysis on the Petri net.

CAESAR accepts full LOTOS with the following restriction as
regards the control part: process recursion is not allowed
on the left and right hand part of |[...]|, nor on the left
hand part of >> and [>. Despite these restrictions, the
subset of LOTOS handled by CAESAR is large and usually
sufficient for real-life needs.

The current version of CAESAR allows the generation of large
LTSs (some million states) within a reasonable lapse of
time. Moreover, the efficient compiling algorithms of CAESAR
can also be exploited in the framework of the OPEN/CAESAR
environment (see below).

The most recent version of CAESAR provides a functionality
called EXEC/CAESAR for C code generation. This C code
interfaces with the real world, and can be embedded in
applications. This allows rapid prototyping directly from the
LOTOS specification.

CAESAR.ADT is a compiler that translates the data part of
LOTOS specifications into libraries of C types and functions.

Each LOTOS sort is translated into an equivalent C type and
each LOTOS operation is translated into an equivalent C
function (or macro-definition). CAESAR.ADT also generates C
functions for comparing and printing abstract data types
values, as well as iterators for the sorts the domain of
which is finite.

One must indicate to CAESAR.ADT which LOTOS operations are
``constructors'' and which are not (fairly obvious, in
practice). CAESAR.ADT does not allow non-free constructors
(``equations between constructors''). However, it is always
possible to transform a LOTOS specification in order to remove
equations between constructors.

CAESAR.ADT accepts fulls LOTOS with the following restriction,
as regards the data part: so-called "constructor discipline"
has to be enforced: constructor operations must be identified;
equations are oriented; there is a decreasing priority between
equations; equations between constructors are not allowed.
Also, parametrized types are not compiled (yet).

CAESAR.ADT is fast: translation of large programs (several
hundreds of lines) is usually achieved in a few seconds.
CAESAR.ADT can be used in conjunction with CAESAR, but it can
also be used separately to compile and execute efficiently
large abstract data types descriptions.

BCG (Binary-Coded Graphs) is both a format for the
representation of explicit LTSs and a collection of libraries
and programs dealing with this format. Compared to ASCII-based
formats for LTSs, the BCG format uses a binary representation
with compression techniques resulting in much smaller (up to
20 times) files. BCG is independent from any source language
but keeps track of the objects (types, functions, variables)
defined in the source programs.
The following tools are currently available for this format:

OPEN/CAESAR is an extensible, language-independent environment
that allows user-defined programs for simulation,
execution, verification (partial, on-the-fly, etc.), and test
generation to be developed in a simple and modular way.
Various modules have already been written in the OPEN/CAESAR
framework, including:

BISIMULATOR is an equivalence checker, which takes as input two graphs
to be compared (one represented implicitly using the OPEN/CAESAR
environment, the other represented explicitly as a BCG file) and
determines whether they are equivalent (modulo a given equivalence
relation) or whether one of them is included in the other (modulo a
given preorder relation). BISIMULATOR works on the fly, meaning that
only those parts of the implicit graph pertinent to verification are
explored. Due to the use of OPEN/CAESAR, BISIMULATOR can be applied
directly to descriptions written in high level languages (for instance,
LOTOS). This is a significant improvement compared to older tools
(such as ALDEBARAN and FC2IMPLICIT) which only accepted lower level
models (networks of communicating automata).

BISIMULATOR works by reformulating the graph comparison problem in
terms of a boolean equation system, which is solved on the fly using
the CAESAR_SOLVE library. A useful functionality of BISIMULATOR is the
generation of a ``negative'' diagnostic (i.e., a counterexample), which
explains why two graphs are not equivalent (or not included one in the
other). The diagnostics generated by BISIMULATOR are directed acyclic
graphs and are usually much smaller than those generated by other tools
(such as ALDEBARAN), which can only generate counterexamples restricted
to sets of traces.

REDUCTOR is a reachability analysis tool combined with on-the-fly
reduction modulo various relations. It operates on graphs represented
implicitly using the OPEN/CAESAR environment and provides eight
reduction algorithms:

It can eliminate both tau-transitions and the so-called
redundant transitions, still preserving safety equivalence.

It can eliminate all tau-transitions, still preserving tau*.a
equivalence.

It can eliminate all circuits of tau-transitions, still
preserving branching equivalence (this reduction is called
tau-compression).

It can perform tau-confluence reduction, still preserving
branching equivalence.

It can eliminate duplicate transitions, still preserving strong
equivalence.

It can determinize the graph, still preserving trace
equivalence.

It can both eliminate tau-transitions and determinize the graph,
still preserving weak trace equivalence.

It can fully minimize the graph modulo strong equivalence.

The 1st, 4th, and 8th reductions above are obtained by encoding the
reduction problem into a boolean equation system that is resolved on
the fly using the CAESAR_SOLVE library. The 8th reduction is
``orthogonal'' with the first five reductions in the sense that it can
be combined with any of them.

EVALUATOR is an on-the-fly model-checker for regular alternation-free
mu-calculus formulas on Labelled Transition Systems. The input language
of EVALUATOR is an extension of the alternation-free mu-calculus with
boolean formulas over actions and regular expressions over action
sequences, allowing a simple, compact specification of safety,
liveness, and fairness properties. The input language is extensible,
due to a macro-expansion and a file inclusion mechanism, which allows
to define reusable libraries of new temporal operators.
The model-checking algorithms of EVALUATOR are based on the efficient
local resolution of boolean equation systems. EVALUATOR is equipped
with diagnostic generation algorithms, which construct both examples
and counterexamples (i.e., portions of LTS explaining why a formula
is true or false).

XTL (eXecutable Temporal Language) is a functional-like programming language
designed to allow an easy, compact implementation of various temporal
logic operators. These operators are evaluated over an LTS encoded in
the BCG format. Besides the usual predefined types (booleans,
integers, etc.), the XTL language defines special types, such as sets of
states, transitions, and labels of the LTS. It offers primitives to
access the informations contained in states and labels, to obtain the
initial state, and to compute the successors and predecessors of states
and transitions. The temporal operators can be easily implemented
using these functions together with recursive user-defined functions
working with sets of states and/or transitions of the LTS.
A prototype compiler for XTL has been developed, and several temporal
logics like HML, CTL, ACTL and LTAC have been easily implemented in XTL.

EXP.OPEN is a tool that explores on the fly the graph corresponding to
a network of communicating automata (represented as a set of BCG
files). These automata are composed together in parallel using either
algebraic operators (as in CCS, CSP, LOTOS, and muCRL), ``graphical''
operators (as in E-LOTOS and LNT), or synchronization vectors (as
in the MEC and FC2 tools). Additional operators are available to hide
and/or rename labels (using regular expressions) and to cut certain
transitions.

PROJECTOR is a tool that abstracts the behaviour of an OPEN/CAESAR
graph by taking into account interface constraints represented as a
BCG graph and a set of synchronization labels. The result is a BCG
graph which consists of the states and transitions of the input
OPEN/CAESAR graph that are reachable when computing the product of
the input OPEN/CAESAR graph with the interface, synchronized on the
given set of synchronization labels.

SVL (Script Verification Language) is a scripting language that targets
at simplifying and automating the verification of LOTOS programs.
SVL behaves as a tool-independent coordination language on top of
CADP, in the same way as EUCALYPTUS is a tool-independent graphical
user interface.

A compiler for SVL has been developed, which translates an SVL
verification scenario into a Bourne shell script, which will perform
all the operations needed to execute the verification scenario, e.g.,
invoking verification tools with appropriate options and parameters,
generating intermediate files, etc.

SVL has been used in several case-studies: most of the CADP demo
examples take advantage of SVL readability and conciseness.

8. CADP tools for distributed verification

To push forward the limits of enumerative verification algorithms, CADP
includes tools to parallelize the graph construction algorithm, which can
be used on clusters of PCs and networks of workstations.

DISTRIBUTOR splits the construction of a graph over N machines
communicating using Tcp/Ip sockets. Each machine builds a graph
fragment, the distribution of states between the machines being
determined by a static hash function.

SEQ.OPEN is a tool which allows to verify execution traces generated
by a system functioning as a black-box automatically. SEQ.OPEN
allows to use the verification tools developed in the OPEN/CAESAR
environment to work on traces encoded in the SEQ format. SEQ.OPEN
does not load the execution traces in memory, which allows to verify
very long traces, and uses a software cache to optimize access to
frequently visited transitions and labels.

TGV is a tool for the generation of conformance test suites based on
verification technology (jointly developed by the PAMPA team of INRIA
Rennes and the Verimag laboratory and integrated into the CADP toolbox
with the help of the VASY team). TGV takes as entries a description of
a protocol's behaviour and a test purpose, which selects the subset of
the protocol's behaviour to be tested. It produces test suites, which
are used to assess the conformance of a protocol implementation with
respect to the formal specification of the protocol.

10. CADP tools for performance evaluation

The BCG graph format allows to represent graphs consisting of a
combination of normal transitions, probabilistic transitions, and
stochastic transitions. Thus, the BCG graph format allows to encode
several kinds of (discrete or continuous time) Markov models, which
can be used to analyse the performance of a system. CADP contains
several tools which allow to analyse such graphs.

CUNCTATOR takes as input a Continuous Time Markov Chain expressed
as an implicit OPEN/CAESAR graph, performs an on-the-fly
steady-state simulation whose termination is specified by a maximal
virtual time elapsed or by a maximal number of transitions explored,
and outputs the equilibrium throughputs for a given set of actions.

BCG_STEADY performs steady-state analysis on a Continuous Time Markov
Chain encoded in the BCG format. It computes the equilibrium
(steady-state) probability distribution on the long run using
the Gauss/Seidel algorithm and can also compute throughputs for the
transitions of the system.

BCG_TRANSIENT performs transient analysis on a Continuous Time Markov
Chain encoded in the BCG format. It computes the time-dependent
(transient) probability distribution of the model at several
(user-specified) time instants using the uniformization algorithm and
the Fox-Glynn method to approximate Poisson probabilities and can also
compute throughputs for the transitions of the system.

EUCALYPTUS is a graphical user interface written in Tcl/Tk
that integrates CADP and several other tools developed
(APERO (Liege, Belgium), ELUDO (Ottawa, Canada),
FC2TOOLS (Sophia-Antipolis, France),
VISCOPE (Rennes, France)) in a unified, user-friendly interface.
This interface has the name of the project within which it was
developed: the euro-canadian project
"
EUCALYPTUS"

TST is a tool which checks the way CADP is installed and configured
on the current machine in order to detect potential problems. Many
verifications are performed, most of which derived from common
problems reported by CADP users.